On 28 September 2016 at 14:24, Mike West <mkwst@google.com> wrote: > On Tue, Aug 2, 2016 at 8:51 PM, Mike West <mkwst@google.com> wrote: > >> * In https://github.com/w3c/webappsec-secure-contexts/issues/43, Erik >> suggested that the move to exclude `localhost` was the wrong way to solve >> the problem, and that we should instead treat it as "secure" if it resolves >> to a loopback address. Recorded in the spec as >> https://w3c.github.io/webappsec-secure-contexts/#issue-8ea95bab. Without >> some change in the way that agent's DNS resolvers handle these names, I'm >> reluctant to change the spec, but perhaps pushing for that change is a >> reasonable thing to do. >> > > Following up on this now that we've hit CR: I've written up the change to > DNS resolvers suggested in the GitHub discussion at > https://tools.ietf.org/html/draft-west-let-localhost-be-localhost. > > The general response has been positive, but opinions from folks on this > list would be appreciated. If we can get something like this proposal > adopted in user agents, I'd be comfortable calling `localhost` as secure as > `127.0.0.1`. WDYT? > I currently use my browser to connect to localhost (via http and https). A couple of questions: 1. Is this spec something that affects user agents today, or something in future. Id love to hear a short description of how. 2. Is there an easy workaround? For example could I alias my localhost to be called another domain name via /etc/hosts or using a CNAME that tunnels through my firewall (which I think would work for me at home but not when im traveling). Or is there a flag to switch it off in the user agents settings. > > -mike >
Received on Wednesday, 28 September 2016 23:20:58 UTC